Groundhog Day: The Cyclical Nature of InfoSec & How We Can Break the Cycle

In the classic movie Groundhog Day, the main character played by Bill Murray finds himself trapped reliving the exact same day over and over again. In the film, he eventually decides to make the day better, to right as many wrongs as possible eventually leading him to escape the loop. In a similar fashion, information security in general has been stuck in a Groundhog Day type of loop for at least a couple of decades, and unless we can make some changes we can expect more futility as we fight the uphill battle of information security.

Just because we have been stuck in this endless loop doesn’t mean there is no hope. Quite the opposite in fact. We as an industry just need to open our collective minds, eyes, and ears, and be willing to try things differently than we have thus far. While I am using healthcare as the primary example, these same issues apply to virtually any vertical. Those industries that were flourishing before computers are the most affected.

For a Long, Long Time…

To fully understand the issues information security (infosec) is facing today, it is key to understand why we are having this problem. The fact is that IT has forced its way into most industries despite friction with the traditional and common methods that were developed over generations of trial and error. If you take the medical field as an example, there are some effects of this friction that are obvious even to those of us that are not directly in the healthcare field.

For as long as there’s been society, there have been medical practitioners of some kind. Over the course of hundreds of years, people were practicing medicine. Developing methodologies, processes, and practices took generations of trial and error to perfect. Now with the forced EHR integrations and technology, healthcare professionals are spending significantly more time in front of a screen, which is easy to see how they could be frustrated. This, I think, is a big part of why information security is struggling so much more in the older, previously established industries.

Like a Bull in a China Shop

About 50 years ago computers came into the scene. Then, about two decades ago the IT “bull” started rearing and forcing itself into every industry it could. The hard-won methods were dashed to one million pieces like the china in a shop after the bull has come through. IT in general has been pushed hard. Everyone has worked to interject the latest technology into every aspect of every industry it could. Healthcare is just a great example.

This entire “integration” took place over a shockingly short period of time (less than a single generation). Therefore, many shortcuts were taken to ensure implementation happened in the tight timeframe that was seemingly arbitrarily decided upon. Think for a minute about how long it took for doctors and healthcare professionals to build the methods and techniques they used for generations before computers came along.

Their practices – and ability to provide care – were as close as they could get to a finely-tuned machine. They were helping a lot of patients every day, possibly more than their modern counterparts. All (ostensibly) medical facilities now use electronic health records (EHR) and computers for most other work. Many older doctors I have talked to tell me they spend more time with computers and less time with patients than they ever did before.

But, How Do We Fix That?

Analyze how things used to be done versus the current method.

Adapt current methods to more closely resemble those but in a way that keeps PHI protected.

Get the end-users more involved in the process.

Shadow the user (e.g. physician) that has to use the technology and understand how it impacts the front line. Then design security to work with the processes that work for the user instead of forcing the users to work with the security processes.

This deeply rooted problem is clearly evidenced by the headlines about breaches for the last decade. In fact, if you take a moment to look at this article from Forbes, you will see the top five industries at highest risk from cyberattacks include healthcare, manufacturing, financial services, government, and transportation. You’ll notice that this list is also the five largest industries that have been around since long before Alan Turing was even born, let alone computers.

We need to take a step back before it’s too late and work out a better way to do this. Auditing your organization’s standards and practices will illuminate a vast number of issues that most enterprises don’t ever notice. How many of your policies and standards are actually followed in practice? We can no longer rely on the method of fixing problems as they come our way. Instead, we must be proactive, look for the issues and the kinks in the armor, and fix them before it is too late.